Sony Breach, Mandiant Comments & Assumptions

07 Dec 2014

Today Mandiant had reached out to the media sharing some thoughts on the recent compromise.

...This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat.

In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.

We are aggressively responding to this incident and we will continue to coordinate closely with your staff as new facts emerge from our investigation.

Sincerely,
Kevin Mandia

It would be interesting to see what the attackers have to say about this. Please email us, why can't the other side of this story be covered? Can full details be shared that have artifacts to support them other than a dump? How did the compromise occur, what are the complete goals? Can deeper information regarding the length of the attack be shared?

In Response...

Back to the topic at hand. Mandiant is working their tail off around the clock and have provided value to the community over the years. Regardless, it seemed that the industrial and technical norms we all hold might collide with some of these comments.

Most new malware isn’t detected by existing AV solutions, this isn’t new. Looking over the data so far, there are many things Sony could have done to prepare and defend against this attack. One simple example is storing passwords in clear text assuming a compromise won’t happen.

Many may not know that these are the very things attackers do, that is - adapting to the assumptions of their target and exploiting the weaknesses.

While it is true the impact of this compromise is unprecedented, there are strategies and disciplines companies can practice and pursue. The question that looms is what is due care, due diligence, and negligence in regards to security? We can’t minimize any of this impact whatsoever, this is true.

How can we judge the log in our own eye in regards to security? How can security be less about a security group, but every owner in the business?

I know you have always heard the saying that it takes a tribe to raise a child. This reality is becoming a greater truth within the interconnected digital world we all live in.

How can we constantly live with the futility and tension of an ever connected world, while also challenging our own assumptions of what is secure and what isn't?